WannaCry ransomware crisis, one year on: Are we ready for the next global cyber attack?

The hard-drive-encrypting malware spread so fast because the group behind it had combined ordinary ransomware with EternalBlue, a leaked NSA exploit which gave WannaCry worm-like capabilities to self-propagate across vulnerable Windows systems.

While there was some initial speculation that WannaCry was spread in an email spam campaign, the ransomware didn’t in fact require any user interaction at all. Combining EternalBlue and another leaked exploit in the form of DoublePulsar, the worm looked for vulnerable public-facing SMB ports it could establish a connection to.

Once these were located, the leaked SMB exploits were used not only to deploy WannaCry on that particular system, but also to spread to every other vulnerable machine on the connected network. In essence, just one open, vulnerable SMB port could lead to a whole network being infected by the ransomware.
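The propagation pattern described above, a single host fanning out to port 445 on many neighbours in a short time, is something a defender can spot in ordinary firewall or flow logs. The following is an added illustration, not code from the article: it runs a sliding window over constructed connection-log lines and flags any source that contacts an unusually large number of distinct SMB peers. The log format, the sample addresses, the 60-second window and the threshold of five peers are all assumptions.

```python
"""Flag hosts that fan out to many distinct peers on TCP/445 in a short window,
the traffic pattern a self-propagating SMB worm such as WannaCry produces.
Added illustration, not code from the article; the log format, sample
addresses, window and threshold are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall-style connection log: timestamp src dst dport action.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.1.20 10.0.1.5 445 allow
2017-05-12T10:00:02 10.0.1.20 10.0.1.6 445 allow
2017-05-12T10:00:02 10.0.1.20 10.0.1.7 445 deny
2017-05-12T10:00:03 10.0.1.20 10.0.1.8 445 allow
2017-05-12T10:00:03 10.0.1.20 10.0.1.9 445 allow
2017-05-12T10:00:04 10.0.1.20 10.0.1.10 445 allow
2017-05-12T10:00:05 10.0.1.20 10.0.1.11 445 allow
2017-05-12T10:00:09 10.0.1.30 10.0.1.5 445 allow
2017-05-12T10:00:10 10.0.1.30 10.0.1.5 445 allow
2017-05-12T10:01:00 10.0.1.40 203.0.113.7 443 allow
2017-05-12T10:05:00 10.0.1.20 10.0.1.12 445 allow
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def find_smb_fanout(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {src: peak number of distinct TCP/445 targets seen within any
    single window} for every source at or above the threshold.

    Denied attempts count as well as allowed ones: the scan itself is the
    signal, whether or not the firewall let each connection through."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _ = parse_line(line)
        if dport == 445:
            events[src].append((ts, dst))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        peak = 0
        left = 0
        # Sliding window: advance `left` until the window fits, then count
        # how many distinct destinations fall inside it.
        for right in range(len(evs)):
            while evs[right][0] - evs[left][0] > window:
                left += 1
            distinct = len({dst for _, dst in evs[left:right + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for host, peers in find_smb_fanout(SAMPLE_LOG).items():
        print(f"{host}: {peers} distinct SMB peers within one window")
```

On the sample above only 10.0.1.20 is flagged: 10.0.1.30 talks to a single file server repeatedly, which is normal, and 10.0.1.40 never touches port 445. In a real deployment the threshold has to be tuned against the baseline of legitimate SMB traffic (backup agents and vulnerability scanners also fan out), but a workstation that suddenly sweeps its subnet on 445 is exactly the behaviour that turned one exposed port into a whole compromised network.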

Spanish mobile operator Telefónica was one of the first major organisations to report problems caused by WannaCry, while by the afternoon of 12 May the UK’s NHS was reporting problems, with systems down at hospitals and doctors’ surgeries across the country, forcing the cancellation of thousands of appointments and the rerouting of ambulances. It led to the first meeting of the UK government’s emergency COBRA committee to be convened because of a cyber attack.

French car manufacturer Renault and German railway firm Deutsche Bahn were other high profile victims in Europe, while Russian government ministries and companies were also hit, with FedEx another major victim.

The ransom note told victims their files were encrypted and their documents, photos, videos and databases were ‘no longer accessible’ and that ‘nobody can recover your files without our decryption service’.

The attackers demanded $300 in bitcoin to be sent to a specific address and threatened to double the ransom if it wasn’t paid within three days. If the victim didn’t pay within a week, they were threatened with their files being permanently deleted.

WannaCry ransom note. (Image: Cisco Talos)

Cyber-security researchers always warn users not to pay a ransom to criminals, and when it came to WannaCry that advice was no different – especially as researchers discovered that even if victims did pay, the sloppy coding behind the ransomware meant it couldn’t associate payments with specific victims, so no decryption key was sent out. That is assuming the decryption process worked at all, which researchers concluded it didn’t.

In addition to this, while many ransomware schemes pride themselves on offering ‘customer support’ to ‘help’ the victim through the payment process, WannaCry didn’t offer any of that.

As the hard-drive scrambling malware spread, cyber security researchers around the world quickly tried to get to the bottom of what was going on.

Among them was Darien Huss, senior security research engineer at Proofpoint.

Huss was tasked with attempting to reverse engineer a sample of the code – while he was at his parents’ house for Mother’s Day.

“All my cousins were running around, while I was sitting at my grandmother’s dining room table,” he told ZDNet. He quickly made an important discovery.

“The kill switch was in the very first lines of code, so I noticed it immediately and started playing around – if this domain is registered will it stop its activity?” he said.

Huss shared his findings with Marcus Hutchins — AKA MalwareTech — a British cyber-security researcher who took a chance and registered the kill-switch domain, which was unregistered at the time, pointing it at a sinkhole server that captured the WannaCry requests.

That meant that even when the worm reached new machines, its kill-switch check now succeeded and it halted before encrypting anything or carrying out any other task – the researchers’ work had neutralised WannaCry.
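Because every infected machine looked up the kill-switch domain before doing anything else, the sinkhole doubled as a census of infections, and a defender with their own recursive resolver's query log can run the same census internally. The following is an added illustration, not code from the article or from the researchers named in it: it parses constructed BIND-style query-log lines and counts, per client, how many times each host looked up the kill-switch domain. The log format and the client addresses are assumptions, and `KILL_SWITCH_DOMAIN` is a placeholder standing in for the real domain, which this example deliberately does not reproduce.

```python
"""List internal hosts that looked up the WannaCry kill-switch domain, using a
recursive resolver's query log. Added illustration, not code from the article;
the log format, client addresses and the placeholder domain are constructed
assumptions (the real kill-switch domain is not reproduced here)."""
import re
from collections import Counter

# Placeholder standing in for the real kill-switch domain (assumption).
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# Constructed BIND-style query-log lines; note the mixed case and trailing dot
# on the fourth line, which a naive string comparison would miss.
SAMPLE_DNS_LOG = """\
12-May-2017 13:02:11.412 client 10.0.1.20#51234: query: killswitch-placeholder.example IN A + (10.0.0.2)
12-May-2017 13:02:11.903 client 10.0.1.20#51240: query: killswitch-placeholder.example IN A + (10.0.0.2)
12-May-2017 13:02:15.007 client 10.0.1.31#40001: query: www.example.org IN A + (10.0.0.2)
12-May-2017 13:03:40.118 client 10.0.1.55#61000: query: KillSwitch-Placeholder.example. IN A + (10.0.0.2)
12-May-2017 13:04:02.552 client 10.0.1.31#40002: query: mail.example.org IN MX + (10.0.0.2)
"""

QUERY_RE = re.compile(
    r"client (?P<client>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalise(name):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.lower().rstrip(".")


def parse_query(line):
    """Return (client, qname, qtype) for a query-log line, or None if it is not one."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return m.group("client"), normalise(m.group("qname")), m.group("qtype")


def hosts_hitting_kill_switch(log_text, domain=KILL_SWITCH_DOMAIN):
    """Return a Counter of client address -> number of lookups for the domain."""
    target = normalise(domain)
    hits = Counter()
    for line in log_text.splitlines():
        parsed = parse_query(line)
        if parsed is None:
            continue
        client, qname, _ = parsed
        if qname == target:
            hits[client] += 1
    return hits


if __name__ == "__main__":
    for client, count in hosts_hitting_kill_switch(SAMPLE_DNS_LOG).most_common():
        print(f"{client}: {count} kill-switch lookup(s), treat as compromised via SMB")
```

Any host in that list had already been compromised over SMB by the time it made the lookup, so it belongs on the isolate-and-patch list regardless of whether files were encrypted. The lookup alone shows the host reached the kill-switch check; it does not by itself prove that the subsequent request to the sinkhole succeeded, which is what actually stopped the malware, so a host whose outbound web access is blocked or proxied still needs to be checked directly.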

The high profile nature of the incident arguably brought cyber security — particularly ransomware — into focus for the wider, general public.

“Wannacry raised awareness for the phenomenon of ransomware in general. The financial sector was already familiar with this but other sectors were less aware. Because of all the attention Wannacry got last year, this has changed. Although we do still believe that prevention efforts need to be continued,” a Europol spokesperson told ZDNet.

But a year on, have lessons been properly learned, or despite the hype around the attack, have people just forgotten about security again?

“For organisations, I do think that many of them have learned about patching and security, but not enough,” Maya Horowitz, threat intelligence group manager at Check Point, told ZDNet.

“There’s still room for improvement when it comes to less technically interesting challenges like patch management and visibility into critical assets and infrastructure to ensure everything is protected, patched and updated whenever a patch is available from major vendors,” Jens Monrad, principal intelligence analyst at FireEye, told ZDNet.

If organisations had followed basic security advice and patched their systems in April, “a lot of the initial compromise could’ve been limited,” Monrad said. But despite the impact of WannaCry, he too believes there’s still work to be done on bolstering systems against major attacks.

“We’re still not where I feel comfortable saying there have been a lot of lessons learned and companies are following the right procedures,” he said.

But despite the damage done by NotPetya, Huss believes that if it hadn’t been for WannaCry and some organisations realising the threat posed by cyber attacks — and therefore bolstering their defences — NotPetya could’ve been much worse.

“NotPetya was a huge incident in terms of cost of money for Maersk and other companies. The question for me is, if WannaCry hadn’t happened, how much worse could’ve been the damage of NotPetya?” he said.

“I really think WannaCry opened a lot of organisations’ eyes to something as simple as patching, how important it can be,” he added.

One organisation which says it has learned from the WannaCry experience is the NHS. In the year since WannaCry, it announced a number of schemes designed to improve cyber security and resilience throughout the organisation.

“What WannaCry was, was a shot across our bows,” said Dan Taylor, head of security at NHS Digital, speaking at a recent security conference. “But it was not the be-all-and-end-all incident for health care – that day will come, something new will happen, there will be another WannaCry. It will be different to what it was in May last year.”

Taylor said that prior to WannaCry, response plans had not been fully tested and there had been mistakes in communication, but that the organisation will be better braced for any future attacks.

“The thing we’ve done since that is test and test and test again, so if it does happen, hopefully we’ll be in a much better position,” he said.

However, there are still plenty of organisations which, over a year on from the release of the patch, still haven’t applied it. That’s despite the initial impact of WannaCry, and stories of new infections.

While many consider patching systems to be time consuming and disruptive, organisations that fail to update their networks in this way are leaving themselves open to cyber attacks – and not just WannaCry.

For Horowitz, one way to ensure that patches are applied to systems — thus helping to protect against destructive cyber attacks — is to make them less intrusive, enabling them to work automatically in the background if possible.

“There needs to be more responsibilities from vendors on security and automating,” she said, pointing to Google Chrome as an example of this working successfully.

“We don’t even know it’s being updated with security patches. But it’s helpful that when they learn about vulnerabilities they fix it for everyone, we don’t need to click anything or restart anything.”

WannaCry was by far the most high-profile ransomware attack of last year – and while the likes of Locky, Cerber and SamSam continued to find success in the second half of 2017, file-encrypting malware appears to have fallen out of fashion.

But while ransomware is in your face and obvious, malicious cryptocurrency mining is secretive: the average user isn’t going to think much about their computer fans working harder, or realise that the reason more power is being used is that attackers are subtly harnessing their system for illicit profit.

But that doesn’t mean the threat of more damaging cyber attacks has gone away, especially when leaked government tools are now in the hands of cyber criminals – and nation-states who weren’t meant to have access to them.

“I would be surprised if this is the last sort of incident we see with these disruptive attacks. Because it is a tool which seems to be highly powerful and also very impactful,” said Monrad.

“And since there’s little risk of repercussions for the states doing this, it makes sense for them to follow that path rather than doing something that might cause sanctions or a physical response.”

WannaCry, he suggests, could potentially provide an excellent case study for nation-states on how to carry out a global cyber attack.

“My fear is some of these nations aspiring to become the next cyber superpower, they’re looking into how successful campaigns like WannaCry have been and may be inspired to carry out their operations,” he said.

While organisations can bolster security and patch systems, that isn’t going to stop cyber attackers attempting to carry out a wide-scale destructive campaign. For Horowitz, the biggest takeaway from WannaCry is therefore that everyone is a potential target for attacks.

“The greatest lesson there is that each and every one of us is a target for cyber tools and weapons developed by nation-states,” she said.

“So while we tend to think that hackers will only go for the big fish, that’s not true because we all have something that we care for on our systems, so ransomware, a wiper, a banking trojan, they have something for the hacker on each personal computer.”

There is a silver lining to this – in some circles, WannaCry has improved awareness about the threats posed by hacking and cyber attacks and that action needs to be taken in order to protect against them. However, for some, taking direct action still isn’t quite on the agenda – yet.

“From understanding to implementing, that’s another step, but we’ll get there,” said Horowitz.